Security in the Software Development Lifecycle: “Build Security In”
Security should be considered at all phases of the software development lifecycle.
The traditional Software Development Lifecycle (SDLC) is a structured methodology for developing software. These phases of development include:
- Analysis or requirements gathering: clearly defining the problem or project
- Design or planning: creating an algorithmic solution for the problem
- Implementation: coding the solution in a programming language and running it to check for correctness
- Testing: formally testing and debugging
- Maintenance: maintaining, changing, and documenting the program
Since security has become a more prevalent concern, it is important to consider security at all stages of a software project. Building secure software is more effective than adding security features after the project is complete.
What’s the Risk?
Poor design and insufficient testing lead to insecure software. Most security issues result from attacks exploiting insecure software.
- In 2002, in response to the proliferation of security issues, including terrorist attacks and malicious software, Bill Gates wrote a famous “security evangelist” memo committing his company to building secure software.
- Thousands of vulnerabilities are reported each year. At the same time, the number and severity of attacks continue to increase.
- Type in the following program exactly as written. Include your name and date.
- Compile: There should be a syntax error. The compiler should indicate where the error occurred. Correct the error and compile again.
- Run: Examine the output carefully.
- Look for errors. You should see a spelling error in the output. This is an example of a bug, or logic error.
- Correct the error, compile, and run again.
- Examine the output again. If you carefully completed the background section, you will see that step 6 is incorrect: security features should not be added after the program is complete, but should be included at every level of the SDLC. Revise the program (remove step 6 and add “with security in mind” at each step) so that it produces the correct output.
- What is the role of the compiler?
- What is a syntax error? What was the syntax error in the above program? What happens when you have a syntax error in your program?
- What is a logic error or bug? What was the logic error in the above program?
- In one sentence, summarize the difference between syntax errors and logic errors.
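The following script is an added example, not the lab's own program: it plays the compiler's role (catching a syntax error) and the checklist's role (catching the step 6 logic error that compiles fine). The three program sources and the expected output lines are constructed for this example and assume a Python version of the lab.

```python
import io
import contextlib

SDLC_PHASES = ["Analysis", "Design", "Implementation", "Testing", "Maintenance"]

# Assumed correct lab output: every phase "with security in mind", no step 6.
EXPECTED_LINES = [f"{i}. {p} with security in mind"
                  for i, p in enumerate(SDLC_PHASES, 1)]

# Constructed stand-in for the program as first typed in: a missing ')'.
SOURCE_WITH_SYNTAX_ERROR = 'print("1. Analysis with security in mind"\n'

# Constructed body shared by the two programs below (constructed sources).
PROGRAM_BODY = '''
phases = ["Analysis", "Design", "Implementation", "Testing", "Maintenance"]
for i, p in enumerate(phases, 1):
    print(f"{i}. {p} with security in mind")
'''
# After the syntax fix: compiles, but step 6 bolts security on at the end.
SOURCE_WITH_LOGIC_ERROR = PROGRAM_BODY + \
    'print("6. Add security features after the program is complete")\n'
# After the logic fix: step 6 removed.
SOURCE_FIXED = PROGRAM_BODY


def check_syntax(source):
    """The compiler's job: accept or reject the text. Returns (ok, message).
    A logic error passes this check untouched."""
    try:
        compile(source, "<lab>", "exec")
        return True, "compiled without errors"
    except SyntaxError as err:
        return False, f"syntax error at line {err.lineno}: {err.msg}"


def run_program(source):
    """Run one of the constructed (trusted) lab sources; capture printed lines."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(compile(source, "<lab>", "exec"), {})
    return buf.getvalue().splitlines()


def check_logic(lines):
    """The checklist's job: compare output with what the lab expects.
    Returns the offending lines (extra or missing); [] means the output is right."""
    extra = [line for line in lines if line not in EXPECTED_LINES]
    missing = [line for line in EXPECTED_LINES if line not in lines]
    return extra + missing
```

Running `check_syntax` on each source and then `check_logic(run_program(...))` on the ones that compile shows that only the third source passes both checks.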
Introduction to Checklists
Checklists are used by airline pilots, in emergency rooms in hospitals, and increasingly in the software industry, to enforce safety procedures. We will use checklists throughout these modules, primarily to check the security of our code. Use the following checklist to ensure you have completed this lab correctly.
Intro to the SDLC: CS0

| Look at your output from Program 1: | Completed |
|---|---|
| 1. Is security considered in the analysis phase, when you are defining the problem? | |
| 2. Is security considered in the design phase? | |
| 3. Is security considered in the implementation phase? | |
| 4. Is security considered in the testing phase? | |
| 5. Is security considered in the maintenance phase? | |
| 6. Is security considered in all parts of the SDLC? | |
| If you answered yes to all of the above questions, you are describing the Secure Development Lifecycle (SDLC). | |
- Where do you think security should fit into the SDLC?
- Why is security more of a concern than it was 10 years ago?
- If a program has no syntax errors, can we assume the program will run correctly?
- If a program has no syntax errors, can we assume that it is secure?
- Compare software security and security software.